Specialized Practice

Data Privacy & DPDPA

The Digital Personal Data Protection Act 2023 carries a maximum penalty of INR 250 crore. That number is not theoretical. It is the price of getting this wrong.

"Data privacy is not a compliance checkbox. It is the new social contract between enterprises and the individuals whose data fuels the digital economy. The organisations that understand this will not merely comply with DPDPA — they will earn the trust that defines market leadership."

Anandaday Misshra

Founder & Managing Partner

Overview

On 11 August 2023, India enacted the Digital Personal Data Protection Act. For the first time, Indian businesses face a comprehensive data privacy regime with real enforcement teeth: consent management, data principal rights, cross-border transfer restrictions, data breach notification, and a maximum penalty of INR 250 crore for non-compliance. Most companies are still figuring out what DPDPA means for their operations. At AMLEGALS, we have been preparing for this since the first draft of the Personal Data Protection Bill in 2018. Through the Vibe Data Privacy framework, we provide end-to-end DPDPA implementation covering gap assessments, consent architecture, data mapping, privacy impact assessments, breach response protocols, and DPO services. We do not sell compliance checklists. We build privacy programmes that protect businesses, satisfy regulators, and earn the trust of data principals.

Understanding Data Privacy & DPDPA

India took six years from the Supreme Court's recognition of privacy as a fundamental right (Puttaswamy, 2017) to enacting comprehensive data protection legislation. The Digital Personal Data Protection Act 2023 represents a deliberate framework designed for Indian conditions while drawing on global best practices.

DPDPA applies to digital personal data processed within India and to processing outside India if it relates to offering goods or services to data principals in India. The scope is broad. Every company that collects personal data digitally, which means virtually every company, falls within the Act’s ambit.

The consent architecture under DPDPA is specific. Consent must be free, specific, informed, unconditional, and unambiguous. This is not a cookie banner exercise. It requires fundamental redesign of how businesses collect, process, and communicate about personal data. Consent notices must be in clear plain language. Purpose limitation is mandatory. Data minimisation is required.

Children's data receives special protection. Processing personal data of children (under 18) requires verifiable parental consent. Tracking, behavioural monitoring, and targeted advertising directed at children are prohibited. Companies in ed tech, gaming, social media, and any sector serving younger audiences face specific compliance obligations.

Cross-border transfers follow a blacklist model: personal data may be transferred outside India except to countries or territories that the Central Government restricts by notification (Section 16). This reverses the whitelist approach of earlier drafts of the Bill. Sectoral localisation mandates, such as the RBI's requirement that payment system data be stored in India, apply in addition. Until restricting notifications are issued, businesses should still inventory their international data flows and put contractual safeguards in place. For GCCs and multinational companies, this is a critical compliance area.

The Data Protection Board of India will enforce the Act. Penalties range up to INR 250 crore as the maximum penalty ceiling. The Board will adjudicate complaints, impose penalties, and develop enforcement jurisprudence.

Regulatory Landscape

DPDPA 2023 establishes a principles based framework. Key obligations for Data Fiduciaries include lawful processing with valid consent or legitimate use grounds, purpose limitation, data minimisation, accuracy, storage limitation, and security safeguards.

Data Principal rights include right to access information about processing, right to correction and erasure of personal data, right to grievance redressal, and right to nominate a representative. Data Fiduciaries must establish mechanisms to fulfil these rights within prescribed timelines.

Significant Data Fiduciaries (SDF) face additional obligations including appointment of a Data Protection Officer based in India, appointment of an independent data auditor, periodic data audits, Data Protection Impact Assessments, and compliance with any additional measures prescribed by the government. SDF classification will be based on volume and sensitivity of data processed, risk to data principal rights, and potential impact on the sovereignty and integrity of India, electoral democracy, security of the State, and public order.

The IT Act 2000 and the SPDI Rules 2011 continue to apply until the corresponding provisions of DPDPA are brought into force; Section 44 of DPDPA omits Section 43A of the IT Act, the provision under which the SPDI Rules were made. Sectoral regulators (RBI, SEBI, IRDAI, TRAI) maintain their own data protection requirements that businesses must comply with in addition to DPDPA.

DPDPA Rules, when notified, will provide detailed procedural requirements for consent management, breach notification timelines, cross border transfer mechanisms, and Data Protection Board procedures.

Key Practice Areas

DPDPA Implementation

Comprehensive implementation covering gap assessment, consent architecture, privacy notices, data principal rights mechanisms, grievance redressal, and compliance documentation. We build programmes that work in practice, not just on paper.

Privacy Impact Assessments

Data Protection Impact Assessments for new products, services, and processing activities. Identification and mitigation of privacy risks before they become compliance failures.

DPO as a Service

External Data Protection Officer services for companies that need DPO expertise without full time recruitment. Regulatory interface, compliance monitoring, and board reporting.

Cross Border Data Transfers

Advisory on DPDPA cross border transfer restrictions, government notification requirements, and contractual mechanisms for international data flows. Particularly relevant for GCCs and multinational operations.

Consent Management

Consent architecture design, notice drafting, and consent lifecycle management. DPDPA requires specific, informed, and unconditional consent. We design systems that achieve this without disrupting user experience.

Data Breach Response

Breach notification to the Data Protection Board, data principal communication, forensic investigation coordination, and regulatory engagement. The response in the first 72 hours defines the outcome.

TCL Framework Application

T: Technical

Understanding data flows, processing activities, technology architecture, and system capabilities. Privacy implementation that ignores technical reality creates policy documents that nobody follows.

C: Commercial

Privacy compliance must integrate with business operations, not obstruct them. We design consent mechanisms, data retention policies, and processing frameworks that satisfy legal requirements while supporting business objectives.

L: Legal

DPDPA 2023, DPDPA Rules (when notified), IT Act 2000, SPDI Rules, sectoral regulations (RBI, SEBI, IRDAI), EU GDPR for companies with EU exposure, and evolving Data Protection Board jurisprudence.

Regulatory Framework

DPDPA, 2023; IT Act, 2000; SPDI Rules, 2011; RBI Data Localisation; SEBI Cybersecurity Framework; IRDAI Data Guidelines

Industries Served

Technology; Financial Services; Healthcare; E-Commerce; Telecommunications; Education; Manufacturing; GCC Operations

Our Approach

The Vibe Data Privacy framework structures our DPDPA implementation approach. We begin with a comprehensive gap assessment that maps current data processing activities against DPDPA requirements.

Data mapping identifies what personal data is collected, from whom, for what purpose, where it is stored, who has access, and where it is transferred. This mapping forms the foundation of the compliance programme.

Consent architecture design addresses how consent is obtained, recorded, managed, and withdrawn. We design consent mechanisms that comply with DPDPA requirements while maintaining user experience quality.

Privacy notices, internal policies, data processing agreements, and cross border transfer mechanisms are drafted based on the gap assessment findings. Implementation support includes system configuration guidance, process redesign, and staff training.

Ongoing compliance involves periodic audits, DPIA for new processing activities, breach response readiness, and regulatory monitoring.

Practical Guidance

Begin with data mapping. You cannot comply with DPDPA if you do not know what personal data you process, where it is stored, and who has access. Data mapping is not a one time exercise. It must be updated as processing activities change.

Design consent mechanisms for specificity. DPDPA requires consent for each specified purpose, and the consent record must be able to show which purpose was consented to, against which notice, and whether it has since been withdrawn. Blanket consent for unspecified future processing will not satisfy the Act. Purpose-specific consent with clear granularity is required, and withdrawal must be as easy as the original grant.
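What purpose-specific, withdrawable consent looks like as a record-keeping structure, as an added example that is not AMLEGALS code and not anything prescribed by the Act or the Rules. The purpose names, principal identifiers, notice versions and timestamps are constructed for the illustration. The ledger stores one event per purpose, refuses any grant that names a purpose outside the fiduciary's specified list (including wildcards that amount to blanket consent), records withdrawal as a new event rather than deleting history, and hash-chains the events so that an edited record is detectable when the Board or a data principal asks what was consented to and when.

```python
"""Purpose-specific consent ledger (illustrative example, not a product)."""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

# Purposes a hypothetical fiduciary has specified in its notice. Constructed
# for the example; the Act requires purposes to be specified, not these ones.
SPECIFIED_PURPOSES = frozenset({"order_fulfilment", "marketing_email", "analytics"})

# Values an integration might send to mean "everything". None is a specified
# purpose, so consent recorded against them would be blanket consent.
BLANKET_MARKERS = frozenset({"*", "all", "any", "future_purposes", ""})


class ConsentError(ValueError):
    """Raised when an operation would not satisfy purpose specificity."""


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str
    action: str          # "grant" or "withdraw"
    at: str              # ISO 8601 UTC timestamp of the principal's action
    notice_version: str  # version of the plain-language notice shown
    prev_hash: str       # hash of the preceding event ("" for the first)
    hash: str            # SHA-256 over prev_hash + the fields above


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def _digest(prev_hash: str, body: dict) -> str:
    # Canonical JSON so identical fields always produce the same hash.
    payload = prev_hash + json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class ConsentLedger:
    """Append-only, hash-chained record of purpose-specific consent."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def _append(self, principal_id: str, purpose: str, action: str,
                notice_version: str, at: str | None) -> ConsentEvent:
        prev_hash = self._events[-1].hash if self._events else ""
        body = {"principal_id": principal_id, "purpose": purpose, "action": action,
                "at": at or _now(), "notice_version": notice_version}
        event = ConsentEvent(**body, prev_hash=prev_hash, hash=_digest(prev_hash, body))
        self._events.append(event)
        return event

    def grant(self, principal_id: str, purposes: list[str],
              notice_version: str, at: str | None = None) -> list[ConsentEvent]:
        """Record consent per named purpose; refuse blanket or unspecified ones."""
        if not purposes:
            raise ConsentError("consent must name at least one specified purpose")
        bad = [p for p in purposes if p in BLANKET_MARKERS or p not in SPECIFIED_PURPOSES]
        if bad:
            raise ConsentError(f"not a specified purpose: {bad}")
        # One event per purpose keeps later withdrawal granular.
        return [self._append(principal_id, p, "grant", notice_version, at) for p in purposes]

    def withdraw(self, principal_id: str, purpose: str,
                 notice_version: str = "n/a", at: str | None = None) -> ConsentEvent:
        """Withdrawal is a new event; earlier grants are never deleted."""
        if not self.may_process(principal_id, purpose):
            raise ConsentError("no active consent to withdraw")
        return self._append(principal_id, purpose, "withdraw", notice_version, at)

    def may_process(self, principal_id: str, purpose: str) -> bool:
        """True only if the latest event for this principal and purpose is a grant."""
        for event in reversed(self._events):
            if event.principal_id == principal_id and event.purpose == purpose:
                return event.action == "grant"
        return False  # never consented, or the purpose was never specified

    def verify_chain(self) -> bool:
        """Recompute every hash; an edited or dropped event breaks the chain."""
        prev = ""
        for event in self._events:
            body = {k: v for k, v in asdict(event).items() if k not in ("prev_hash", "hash")}
            if event.prev_hash != prev or event.hash != _digest(prev, body):
                return False
            prev = event.hash
        return True

    def history(self, principal_id: str) -> list[tuple[str, str, str]]:
        """What a principal sees when exercising the right to access."""
        return [(e.at, e.purpose, e.action) for e in self._events if e.principal_id == principal_id]


def run_example() -> dict:
    """Grant, withdraw, attempt blanket consent, then detect a tampered record."""
    ledger = ConsentLedger()
    ledger.grant("dp-1001", ["order_fulfilment", "marketing_email"], "notice-v3",
                 at="2024-06-01T10:00:00+00:00")
    ledger.withdraw("dp-1001", "marketing_email", at="2024-06-15T09:30:00+00:00")
    try:
        ledger.grant("dp-1002", ["*"], "notice-v3")  # wildcard = blanket consent
        blanket_rejected = False
    except ConsentError:
        blanket_rejected = True
    # Simulate an insider flipping the withdrawal back into a grant in storage.
    tampered = ConsentLedger()
    tampered._events = [ConsentEvent(**{**asdict(e), "action": "grant"})
                        if e.action == "withdraw" else e for e in ledger._events]
    return {"order_ok": ledger.may_process("dp-1001", "order_fulfilment"),
            "marketing_ok": ledger.may_process("dp-1001", "marketing_email"),
            "analytics_ok": ledger.may_process("dp-1001", "analytics"),
            "blanket_rejected": blanket_rejected,
            "chain_intact": ledger.verify_chain(),
            "tamper_detected": not tampered.verify_chain(),
            "events_for_dp_1001": len(ledger.history("dp-1001"))}


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

The design choice worth noting is that `may_process` answers the only question a processing pipeline should ask ("is there a live grant for this principal and this purpose right now?"), and that withdrawal leaves the grant in the ledger. Deleting the grant would destroy the evidence that processing between grant and withdrawal was lawful. The hash chain is a minimal integrity control; in production the chain head would be anchored somewhere the application team cannot rewrite.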

Establish a breach response protocol before a breach occurs. The time to develop a response plan is not during a breach. Pre established protocols, designated response teams, and template notifications enable rapid response when incidents occur.

Review vendor and processor agreements for DPDPA alignment. Data Fiduciaries are responsible for processing conducted by Data Processors on their behalf. Contractual obligations must flow through the processor chain.

Children’s data deserves immediate attention. If your business collects data from users under 18, verifiable parental consent mechanisms and advertising restrictions must be implemented now.

Frequently Asked Questions

Q: What is the maximum penalty under DPDPA?

The maximum penalty under DPDPA is INR 250 crore, which the Schedule attaches to a failure to take reasonable security safeguards to prevent a personal data breach. Penalties are imposed by the Data Protection Board based on the nature, gravity and duration of the contravention. The Schedule sets lower ceilings for other breaches, such as failure to notify a breach, breach of the obligations relating to children, and breach of Significant Data Fiduciary obligations.

Q: Who is a Data Fiduciary under DPDPA?

Any person who alone or in conjunction with others determines the purpose and means of processing personal data. This includes companies, government agencies, and any entity that collects and processes personal data of individuals in India.

Q: What are Data Principal rights under DPDPA?

Right to information about processing, right to correction and erasure, right to grievance redressal, and right to nominate another person to exercise rights. Data Fiduciaries must establish mechanisms to handle these requests within prescribed timelines.

Q: How does DPDPA affect cross-border data transfers?

DPDPA permits transfer of personal data outside India except to countries or territories that the Central Government restricts by notification (Section 16). Sectoral localisation requirements, such as the RBI's for payment system data, continue to apply. Until restricting notifications are issued, businesses should assess their cross-border transfer practices and implement contractual safeguards.

Q: Is consent required for all processing under DPDPA?

DPDPA provides for consent-based processing as the primary legal basis, with certain legitimate uses under Section 7 that do not require consent, including processing of data the data principal has voluntarily provided for a specified purpose, employment-related purposes, specified State functions, and medical emergencies. Consent must be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action.

Q: What is the Vibe Data Privacy framework?

It is our proprietary approach to DPDPA implementation. Rather than treating privacy as a compliance project with an end date, Vibe Data Privacy builds a governance system that is operational from day one and evolves with regulatory developments. Built by practising lawyers, not consultants.

Q: Do companies need to appoint a DPO under DPDPA?

Significant Data Fiduciaries (as determined by the government based on volume and sensitivity of data processed) must appoint a Data Protection Officer based in India. Other data fiduciaries are not currently required to appoint a DPO but should designate a privacy function.

Why AMLEGALS

We have been working on Indian data protection since the Justice Srikrishna Committee report in 2018. Our understanding of DPDPA is not theoretical. It is built on years of engagement with the evolving framework.

The Vibe Data Privacy framework is not a compliance checklist. It is a governance system designed by practising lawyers who understand both the legal requirements and the operational realities of implementation.

Our multi disciplinary approach integrates data privacy with employment law (employee data), corporate law (governance obligations), technology law (AI and automated processing), and regulatory compliance (sectoral requirements). DPDPA does not exist in isolation, and neither does our advisory.

Data Privacy & DPDPA Advisory

Connect with our data privacy practice team to discuss your requirements.